Recently we covered how CoreOS can be a great operating system for secure, scalable Docker-based infrastructure. The Docker docs say that you can get Docker working on 11 major operating systems, including RHEL, Ubuntu, openSUSE, Arch Linux, and others. However, these operating systems follow the traditional "heavy" footprint architecture and are not the best fit for container-based services.
Docker containers only need a Linux kernel that supports resource limiting, not the many default services and kernel features that traditional full-featured operating systems ship with. This led to the rise of minimal operating systems optimized for containers. Here we'll take a look at the top 8 tiny operating systems that are a good fit for your Docker infrastructure.
CoreOS
CoreOS is a production-ready operating system optimized for Docker. CoreOS focuses on security and scalability in its architecture. It comes pre-packaged with features that let you easily build and manage a cluster of Docker containers. Some of these are:
- Service discovery: Using a service called etcd, CoreOS automatically detects a new Docker container that is brought online. It then adds the container to the production service cluster, enabling faster scaling up of the infrastructure.
- Cluster management: Managing production services spread over many Docker containers can be a pain. CoreOS makes it easy with its "fleet" service. For large-scale deployments, it comes with a tool called Kubernetes which does load balancing, container replication, and more out of the box. I feel this focus on scalability and distributed computing is the best feature of CoreOS.
- Auto-updates: Security of Docker containers in CoreOS is ensured through automatic kernel updates. CoreOS eliminates service downtime in Docker clusters by coordinating reboots with the other nodes in the cluster.
Project Atomic / RHEL Atomic Host
Red Hat reacted to the market demand for a minimal OS by releasing RHEL Atomic Host. Atomic Host sources its container technology from Project Atomic and has out-of-the-box support for Docker. CentOS Atomic and Fedora Atomic are the other offshoots of Project Atomic. If you are already running a Red Hat compatible server infrastructure, moving to an Atomic Host based Docker infrastructure might be the path of least resistance.
Red Hat brings with it a certain level of reliability and product maturity. Docker infrastructure based on Atomic Hosts has the following features:
- Atomic updates: Red Hat uses a feature called Atomic Updates to keep the server OS updated. The package manager is called rpm-ostree and allows you to roll back an update if the latest update broke anything. This makes sure that you can always run a reliable OS instance for your Docker containers.
- SELinux: SELinux is a proven way to enhance server security. With Atomic Hosts you have one more layer of security to make sure your Docker containers are bulletproof.
- Kubernetes and Flannel: These packages allow the creation of Docker container clusters which can be easily scaled with simple command line tools.
- Cockpit: Cockpit is an easy-to-use web front end to manage Docker containers across multiple servers. This tool makes it easy to monitor and administer your infrastructure from a central location. I feel this feature holds good potential for the popular adoption of Atomic Hosts.
Snappy Ubuntu Core
Ubuntu joined the container-native operating systems market with the release of Snappy Ubuntu Core. Their stated goal is to deliver a fast, reliable and secure platform for large-scale cloud container deployments. Docker is not included by default, but it can be installed quite easily with:
$ sudo snappy install docker
If your current server infrastructure is based on Debian or Ubuntu, switching to Snappy Ubuntu should be familiar territory for you. The main features of Snappy Ubuntu are:
- Reliable updates: Snappy backs up all the Docker app data before an update, so that even if something goes wrong with an update, you can easily roll back to the previous state.
- Verified, transactional updates: Snappy uses delta images, which is to say it downloads only what changed from the previous image for its kernel and app images. This makes updates very fast, and versioned for rollbacks. Additionally, it uses signatures to make sure the images have not been tampered with and stores them with read-only permissions. The innovation put into image management is undoubtedly the best feature of Snappy.
- AppArmor kernel security: Snappy uses AppArmor kernel security, which completely isolates applications running in Docker containers using easily configurable security profiles. So, even if one app has a vulnerability, other apps are shielded from it.
VMware Photon
VMware is a competitor of Docker. So why would VMware build Photon? Photon is best suited for cloud hosting providers who already have an extensive VMware-based infrastructure. The resource usage savings won't be as good as with a true lightweight container host, but it's a good trade-off if you want to avoid a major overhaul yet still want to use container technology to streamline DevOps. Some of the features of Photon are:
- Container security: Photon is coupled with Project Lightwave, which delivers authentication and authorization mechanisms that support LDAP, Kerberos, SAML and OAuth. Through Lightwave you can make sure that only authorized users can run authorized containers on specific hosts.
- Container isolation: Using Project Bonneville, Docker containers are started in separate hardware-virtualized machines, so that they are fully isolated from one another. A security compromise in one of the containers on the Photon server cannot affect your container under any circumstance. For businesses that have stringent security guidelines, this feature would come as welcome news.
- Central management: If you are already familiar with VMware vCenter Server, you already know how to manage the Photon infrastructure. You can manage the whole Docker infrastructure from a convenient web interface.
RancherOS
As they say on their website, "If your primary requirement for Linux is to run Docker, RancherOS might be a good fit". It is essentially an OS made of Docker containers. It boots up using a Docker container called "System Docker", and then gives users the ability to create new containers using a sub-process called "User Docker". Its total size is only 20 MB, which makes it super secure and very stable. The main features of RancherOS are:
- Security through minimalism: It was surreal for me to see that the OS was only 20 MB. With its tiny footprint, RancherOS offers a very small surface area for vulnerabilities and thereby exploit opportunities. Even if a vulnerability is detected, it can be patched in a jiffy and the container rebooted in less than 5 secs. From a security point of view this is pretty impressive.
- Simple updates and rollbacks: RancherOS uses Docker packaging to deliver updates to the operating system and all its packages. This makes updates very fast and easy to roll back if needed.
Conclusion
Major vendors are realizing the importance of container-native operating systems to power Docker-based infrastructure. Depending on your current server technology and DevOps capabilities, you now have a range of minimal operating systems to choose from for your Docker-based services.
Bobcares server administrators routinely help webmasters and service providers configure their infrastructure and keep their servers secure and responsive. Our server management services cover 24/7 monitoring, emergency administration, periodic security hardening, periodic performance tuning and server updates.